Those are big numbers; typing every combination out by hand would probably take at least a year. However, we have computers.

According to Gibson Research (GRC), a short password such as ‘Y3l!ow’ (6 characters) takes only about 0.00743 seconds to crack, even though there are 735,091,890,625 (95^6) possible combinations. That figure is for an offline attack against a stolen password hash at roughly a hundred trillion guesses per second (735 billion divided by 0.00743 s), and it is the time to try every combination, not just the right one. In under a second, your savings account would be gone. This is known as a brute force attack.

However, simply making the password longer, such as ‘Y3l!owd0lpH1n!’, pushes that to about 16,500 years. (The 16,500-year figure is for 13 characters; the string as written is actually 14, which multiplies the search space by another 95.) Holy.

The number of possible passwords grows exponentially with length: every extra character multiplies it by the size of the alphabet (95 for the full printable set), whereas swapping lowercase letters for a bigger alphabet only changes the base. So length does far more for you than cleverness, and a password that isn’t really long isn’t strong no matter how it looks. But that’s only the start.

How so fast?

Hackers aren’t stupid. They’re probably a lot smarter than you and me (or at least the media makes them out to be, e.g. Felicity Smoak). They know that people like you and me follow common patterns when making up passwords.

Passwords are far more likely to start with an uppercase letter than a lowercase one. A mask attack exploits this by trying only uppercase letters in the first position.

Numbers are usually appended to the end. A mask attack encodes that too, trying only digits in the last positions.

Tools such as oclHashcat (now simply hashcat) target every one of these common patterns, shrinking the search from all 95 characters per position to the handful people actually use there. But luckily our security teams aren’t stupid either! There are safeguards in place.
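To make the mask idea concrete, here is an added example (not the page’s code and not hashcat’s own implementation) that parses hashcat-style masks, sizes the resulting keyspace, and actually recovers a constructed four-character password from its unsalted SHA-256 hash. The demo password ‘Dog7’, its hash, and the 1e14 guesses-per-second rate are assumptions made for the demo; the ?l ?u ?d ?s ?a charsets are hashcat’s built-in ones.

```python
import hashlib
import itertools
import math
import string

# hashcat's built-in mask charsets. ?a is the full set of 95 printable ASCII chars.
CHARSETS = {
    "l": string.ascii_lowercase,          # 26
    "u": string.ascii_uppercase,          # 26
    "d": string.digits,                   # 10
    "s": " " + string.punctuation,        # 33 (space plus the 32 ASCII symbols)
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask):
    """Turn a mask such as '?u?l?l?d' into one candidate alphabet per position.
    A bare character stands for itself; '??' is a literal question mark."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask")
            tok = mask[i + 1]
            if tok == "?":
                positions.append("?")
            elif tok in CHARSETS:
                positions.append(CHARSETS[tok])
            else:
                raise ValueError(f"unknown mask token ?{tok}")
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask):
    """Number of candidates the mask generates (product of alphabet sizes)."""
    return math.prod(len(p) for p in parse_mask(mask))


def seconds_to_exhaust(candidates, guesses_per_second=1e14):
    """Time to try every candidate. 1e14/s is the offline-cracking rate implied by
    the page's 0.00743 s figure for 95^6 candidates (assumption, not a measurement)."""
    return candidates / guesses_per_second


def crack_sha256(target_hex, mask):
    """Try every candidate the mask allows against an unsalted SHA-256 digest.
    Returns the recovered password, or None if the mask never produces it."""
    target = bytes.fromhex(target_hex)
    for combo in itertools.product(*parse_mask(mask)):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


# Constructed demo target: a 'Capital word + digit' password, hashed for the example.
DEMO_PASSWORD = "Dog7"
DEMO_HASH = hashlib.sha256(DEMO_PASSWORD.encode()).hexdigest()

if __name__ == "__main__":
    brute = keyspace("?a?a?a?a")
    masked = keyspace("?u?l?l?d")
    print(f"exhaustive 4-char search: {brute:,} candidates")
    print(f"mask ?u?l?l?d:            {masked:,} candidates ({brute / masked:.0f}x fewer)")
    print("recovered:", crack_sha256(DEMO_HASH, "?u?l?l?d"))
    print(f"6 x ?a at 1e14/s:  {seconds_to_exhaust(keyspace('?a' * 6)):.5f} s")
    years = seconds_to_exhaust(keyspace("?a" * 13)) / 31_557_600
    print(f"13 x ?a at 1e14/s: {years:,.0f} years")
```

The mask ?u?l?l?d covers 175,760 candidates against 81,450,625 for an exhaustive four-character search, a 463-fold saving bought purely by knowing how people tend to write passwords. The same function reproduces the page’s numbers: 6 × ?a is 735,091,890,625 candidates, and 13 × ?a at the assumed rate is roughly 16,000 years.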

One method to stop brute force attacks is to lock the account after a certain number of failed attempts. Note that this only helps against online guessing at the login form; it does nothing against offline cracking of stolen password hashes, which is what the timings above describe, and an over-aggressive lockout lets an attacker lock real users out on purpose.

Some sites also check the location you’re logging in from and flag an outlier, such as a sudden login from a country you have never used. Google does this and notifies you in Gmail if something’s up.

Many sites use two-step verification, sending a code to your phone or another device, so a guessed password alone isn’t enough to get in.

Sites also enforce composition rules (uppercase, digits, symbols) so that an attacker has to consider all 95 printable characters instead of just the 26 lowercase letters. The catch is that most people satisfy those rules the same way, capital first and digit or symbol last, which is exactly the pattern a mask attack targets.
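Of the safeguards above, the lockout is the one that is pure logic, so here is an added example of it (not code from any real site): a per-account guard that locks the account after a number of failed attempts inside a time window, and keeps rejecting even the correct password until the lockout expires so the guesser learns nothing. The thresholds, the FakeClock and the usernames are made up for the demo; a real deployment would also rate-limit by source address and consider CAPTCHAs or exponential backoff to limit the denial-of-service risk noted above.

```python
import time
from collections import defaultdict


class LoginGuard:
    """Lock an account after `max_failures` failed logins within `window` seconds,
    for `lockout` seconds. `clock` is injectable so the logic can be tested
    without sleeping."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(list)  # username -> timestamps of recent failures
        self._locked_until = {}             # username -> time the lock expires

    def attempt(self, username, password_ok):
        """Record one login attempt. `password_ok` is the result of the real
        credential check (a slow salted hash comparison in practice).
        Returns 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        if now < self._locked_until.get(username, 0):
            # Locked: refuse regardless of the password so an attacker cannot
            # tell a correct guess from a wrong one while the lock holds.
            return "locked"

        recent = [t for t in self._failures[username] if now - t < self.window]
        if password_ok:
            self._failures[username] = []   # success resets the counter
            return "ok"

        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            self._failures[username] = []
            return "locked"
        self._failures[username] = recent
        return "bad_password"


class FakeClock:
    """Deterministic stand-in for time.time() used only by the demo and tests."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(max_failures=3, window=60, lockout=120, clock=clock)
    for outcome in (False, False, False, True):
        print("alice:", guard.attempt("alice", outcome))   # bad, bad, locked, locked
    clock.advance(121)
    print("alice after lockout:", guard.attempt("alice", True))  # ok
    print("bob (unaffected):", guard.attempt("bob", True))       # ok
```

Failures are counted per account rather than per source address: an attacker spraying one account from many addresses is stopped, and the window means a user who mistypes twice a day is never locked.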

How do I make a strong password?

So how do you make a strong password? You slam random keys on your keyboard until it’s long enough and random enough. (Keyboard mashing is not actually uniformly random; a password manager’s generator, which draws from a cryptographic random number generator, is.) But then how will you remember it? To tell you the truth, I don’t, my password manager does.
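As an added example (not the page’s code and not any password manager’s implementation), this is how a generator does the “random keys” part properly: draw each character uniformly from the printable alphabet with Python’s `secrets` module (a CSPRNG), and report the entropy that length buys. The 94-character alphabet (printable ASCII without space) and the default length are choices made for this demo.

```python
import math
import secrets
import string

# Alphabet assumed for the demo: the 94 printable ASCII characters other than
# space (left out only because many login forms mangle or reject it).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password drawn with `secrets` (a CSPRNG).
    `random.choice` is NOT suitable: the Mersenne Twister state behind it can be
    reconstructed from a few hundred outputs, making later 'random' passwords predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password: length * log2(alphabet size).
    Each extra character adds log2(95) ~ 6.57 bits for the full printable set."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    for n in (6, 13, 20):
        print(f"{n:2d} random characters from 95: {entropy_bits(n, 95):5.1f} bits")
```

Six random printable characters are about 39 bits, which is why the page’s 6-character example falls in milliseconds; thirteen are about 85 bits, and a 20-character generated password is about 131 bits, far beyond anything a cracking rig exhausts.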

There are dozens of password managers out there, like LastPass (what I use), KeePass, Dashlane and 1Password. They generate and remember passwords for you; you just have to remember one master password to unlock the vault, and you’d better make sure it’s a good one. Some sync the encrypted vault to their own servers, while others leave you with a single encrypted file that you look after yourself.

Plugins and add-ons are available for popular browsers as well. They recognise login forms and can autofill them when needed. Mobile apps for the various managers are also available, either official or third-party.

My definition of a strong password

Although subject to change (and criticism), my definition of a strong password is: